Hi mates,
I needed to perform some Active Directory cleaning.
The most important consideration about this activity is that most modern software is continuously in touch with AD, querying it, retrieving data and so on.
To have a partially clean situation we put in production another script that disables the computer accounts that have not logged on to the domain for 90 days.
Having a lot of disabled computers, we would also like to optimize the vertical software that relies on AD.
Some of them (antivirus, infrastructure management) periodically scan the directory using LDAP; furthermore, some of them don't have a filter to exclude specific OUs from the scan task.
We decided to move these disabled computer accounts into a specific OU and modify the ACL for this OU, denying access to the service user account that some specific software uses to "talk" with AD.
Anyway, apart from the idea of the ACL on the OU, the purpose of this simple script is to clean AD.
Here you are:
But it's a base from which you can start for easy and quick tasks.
No complications, no tricks, only the essential.
Hope this helps.
See you soon
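The move step described above, as an added example that is not the original script from this post: it relocates disabled computer accounts into a dedicated OU using the ActiveDirectory module. The target OU distinguished name, the log file path and the choice to skip domain controller accounts are assumptions made for illustration.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed placeholder DN: replace with the OU that holds disabled computers.
    [string]$TargetOU = 'OU=Disabled Computers,DC=example,DC=com',
    # Assumed log location for the audit trail of this run.
    [string]$LogPath  = '.\moved-computers.csv'
)

# Stop before touching anything if the destination OU does not exist.
Get-ADOrganizationalUnit -Identity $TargetOU -ErrorAction Stop | Out-Null

# Disabled computer accounts that are not already under the target OU.
# primaryGroupID 516/521 are domain controllers and RODCs: never move those.
$candidates = Get-ADComputer -Filter 'Enabled -eq $false' `
                             -Properties LastLogonDate, PrimaryGroupID |
    Where-Object {
        -not $_.DistinguishedName.EndsWith(",$TargetOU",
                 [StringComparison]::OrdinalIgnoreCase) -and
        $_.PrimaryGroupID -notin 516, 521
    }

# Move each account and record the outcome, including the old location
# so a move can be reverted by hand if a machine comes back.
$results = @(foreach ($computer in $candidates) {
    $status = 'Skipped'
    if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, "Move to $TargetOU")) {
        try {
            Move-ADObject -Identity $computer.ObjectGUID -TargetPath $TargetOU `
                          -Confirm:$false -ErrorAction Stop
            $status = 'Moved'
        }
        catch {
            # Typical causes: object protected from accidental deletion,
            # or missing delegation on the source or target OU.
            $status = "Failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        Name          = $computer.Name
        OldDN         = $computer.DistinguishedName
        LastLogonDate = $computer.LastLogonDate
        Status        = $status
    }
})

$results | Export-Csv -Path $LogPath -NoTypeInformation
```

Run it with `-WhatIf` first to list what would be moved without changing the directory.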